Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 2/02/07, 7/11/07. 
2a) [X] This action is FINAL. 2b) [ ] This action is non-final. 

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213. 

Disposition of Claims 

4) [X] Claim(s) 1, 3, 7-10, 14, 15, 19 and 25-37 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) [ ] Claim(s) is/are allowed. 

6) [X] Claim(s) 1, 3, 7-10, 14-15, 19, and 25-37 is/are rejected. 

7) [ ] Claim(s) is/are objected to. 

8) [ ] Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) [ ] The specification is objected to by the Examiner. 

10) [ ] The drawing(s) filed on is/are: a) [ ] accepted or b) [ ] objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a) [ ] All b) [ ] Some * c) [ ] None of: 

1. [ ] Certified copies of the priority documents have been received. 

2. [ ] Certified copies of the priority documents have been received in Application No. . 

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
DETAILED ACTION 

In view of the Appeal Brief filed on 7/10/07, PROSECUTION IS HEREBY REOPENED. A new 
ground of rejection is set forth below. 

To avoid abandonment of the application, appellant must exercise one of the following two 
options: 

(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 
1.113 (if this Office action is final); or, 

(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal 
brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be 
applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been 
increased since they were previously paid, then appellant must pay the difference between the 
increased fees and the amount previously paid. 

A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below: 



Response to Arguments 

Applicant's arguments with respect to amended claim 1 have been considered but are moot in 
view of the new ground(s) of rejection. The remaining new and amended claims are addressed 
below. 

CLAIMS PRESENTED 

Claims 1, 3, 7-10, 14-15, 19, and 25-37 are presented. 
CLAIM REJECTIONS 

Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

2. Claims 1, 3, 7-10, 14-15, 19, and 25-37 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Goldfeder et al (US PGPub No. 
20040230835), hereinafter Gold, and further in view of applicants' background 
information provided in applicants' disclosure, hereinafter background. 

As per claim 1, 25, 32: 

A computer implemented method for evaluating a security risk of an application, said method 
comprising the steps of: 

determining whether the application is shared by different customers; 

determining whether a third party can have unauthorized administrative authority to data 
maintained by said application; 

determining whether a third party can have unauthorized read and/or write access to data 
maintained by said application; 

assigning a numerical value or weight to each of the foregoing determinations, each of 
said numerical values or weights corresponding to a significance of the respective determination 
in evaluating security risk; and 

combining said numerical values or weights to evaluate security risk. 



Gold teaches the following: 

Application/Control Number: 10/690,017    Art Unit: 2136    Page 4 

Gold teaches a mechanism for collectively evaluating security risks associated with 
loading an application. Trust evaluators are utilized in order to analyze and assess different risks. 
Upon completion of each security risk evaluation, results of each are returned to a trust manager 
responsible for aggregating the variety of security risks and making a security determination 
based on the aggregated evaluation results (see paragraph 0006). Examiner interprets the 
security determination taught by Gold to be analogous to the evaluation of security risk claimed 
by applicants. 

Gold mentions possible security risks being the type of environment the application is 
hosted on (see paragraph 0020), what rights and permissions the constituent components of the 
application desire (see paragraph 0021), viruses, and privacy concerns (see paragraph 0022). 
These are only examples of possible risks that are assessed by the trust evaluators. Gold goes 
on to mention that many other trust evaluators may also be used, as will be apparent to those 
skilled in the art (see paragraph 0035). 

Gold does not explicitly cite the application being shared by different customers, third 
party access, and unauthorized read and/or write access, as being possible security risks. These 
security risks are disclosed in applicants' background as prior art (see paragraph 0002). 
Examiner deems that it would have been obvious to one of ordinary skill in the art to evaluate 
these security risks and include them in the security determination based on aggregated 
evaluation results taught above by Gold. 

As per claim 3: 
A computer implemented method as set forth in claim 1 further comprising the steps of: 
determining whether said application is subject to industry controls for security; and assigning a 
numerical value or weight to the determination whether said application is subject to industry 
controls for security, and using the numerical value or weight for the determination whether said 
application is subject to industry controls for security in evaluating security risk. 

[see Background, paragraph 0003] 
As per claim 7: 

A computer implemented method as set forth in claim 1 further comprising the steps of: 
determining whether a third party can have unauthorized read and write access to said data; and 
assigning a numerical value or weight to the determination whether a third party can have 
unauthorized read and write access to said data, and using the numerical value or weight for the 
determination whether a third party can have unauthorized read and write access to said data in 
evaluating said security risk. 

[see Background, paragraph 0002, "unauthorized access"] 
As per claim 8, 27: 

A computer implemented method as set forth in claim 1 further comprising the steps of: 
determining whether a vulnerability in said application can be exploited by a person or program 
which has not been authenticated to said application or a system in which said application runs; 
and 

assigning a numerical value or weight to the determination whether the vulnerability in said 
application can be exploited by a person or program which has not been authenticated to said 
application or a system in which said application runs and using the numerical value or weight for 
the determination whether a third party can have unauthorized read and write access to said data 
in evaluating said security risk. 

[see Background, paragraph 0002, "computer viruses and worms"] 
As per claim 9: 

A computer implemented method as set forth in claim 1 further comprising the steps of: 
determining whether data maintained by or accessed by said application is confidential; and 
wherein the numerical value or weight assigned to the determination whether a third party can 
have unauthorized access to said data is based in part on whether said data is confidential, 
[see Gold, paragraph 0021, "privacy information"] 

As per claim 10, 28, 34: 

A method as set forth in claim 1 further comprising the steps of: 

determining whether a customer has direct use of said application; and assigning a numerical 
value or weight to the determination whether a customer has direct use of said application, and 
using the numerical value or weight for the determination whether a customer has direct use of 
said application in evaluating said security risk. 

[see Gold, paragraph 0021, "...what rights and permissions and the constituent 
components of the application desire"] 

As per claim 12: 

A computer implemented method as set forth in claim 1 further comprising the steps of: 
determining whether there is an intrusion detection system and vulnerability scanning for said 
application; and assigning a numerical value or weight to the determination whether there is an 
intrusion detection system and vulnerability scanning for said application, and using the numerical 
value or weight for the determination whether a customer has direct use of said application in 
evaluating said security risk. 

[see Gold, paragraph 0035, "virus evaluator"] 
As per claim 15, 29, 35: 

A computer implemented method as set forth in claim 1 further comprising the steps: 
determining whether there is a requirement for authentication of said application or a system in 
which said application runs to other systems before connection of said application or said system 
in which said application runs to said other systems; and assigning a numerical value or weight to 
the determination whether there is a requirement for authentication of said application or a 
system in which said application runs to other systems before connection of said application or 
said system in which said application runs to said other systems, and using the numerical value 
or weight for said requirement for authentication in evaluating said security risk. 

[see Gold, paragraph 0021, "digital signature"] Examiner interprets reading the digital 
signature of an application to be equivalent to requiring it to authenticate. 

As per claim 19, 30, 36: 

A computer implemented method as set forth in claim 1 further comprising the step of comparing 
the evaluation of said security risk to a cost savings provided by said application, and determining 
whether to certify said application for use based in part on said comparison. 

[see Gold, paragraph 0038-39, "aggregate security impact exceeds some predetermined 
threshold... sufficient permissions [granted to allow] application to execute."] 

As per claim 20, 31, 37: 

A computer implemented method as set forth in claim 1 further comprising the step of comparing 
the evaluation of said security risk to a revenue provided by said application, and determining 
whether to certify said application for use based in part on said comparison. 

[see Gold, paragraph 0038-39, "aggregate security impact exceeds some predetermined 
threshold... sufficient permissions [granted to allow] application to execute."] 
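The method recited in claims 1, 3, 7-10, 12, 15, 19 and 20 above (binary determinations, a weight per determination, a combined score, and a comparison of that score against cost savings or revenue to decide certification), together with the evaluator/trust-manager aggregation the Examiner attributes to Gold, can be made concrete in a few lines. The following Python is an added illustration for the reader of this action; it is not code from the application, from Goldfeder, or from the Office. All weights, the confidentiality multiplier, the certification rule (benefit must exceed the score converted to the same units) and the two sample profiles are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class AppProfile:
    """Facts about the application under review; each field feeds one determination."""
    shared_by_customers: bool          # claim 1: shared by different customers
    third_party_admin: bool            # claim 1: unauthorized administrative authority possible
    third_party_read_write: bool       # claims 1, 7: unauthorized read and/or write access possible
    data_confidential: bool            # claim 9: modulates the two access weights
    industry_controls: bool            # claim 3: subject to industry security controls
    exploitable_unauthenticated: bool  # claim 8: exploitable without authenticating
    ids_and_vuln_scanning: bool        # claim 12: IDS and vulnerability scanning in place
    auth_required_to_connect: bool     # claim 15: must authenticate before connecting to other systems


# Hypothetical weights: they express the assumed significance of each determination.
CONFIDENTIAL_MULTIPLIER = 2.0


def access_weight(base: float, present: bool, confidential: bool) -> float:
    """Weight for an unauthorized-access determination; doubled when the data is confidential."""
    if not present:
        return 0.0
    return base * (CONFIDENTIAL_MULTIPLIER if confidential else 1.0)


# One evaluator per determination, in the style of Gold's trust evaluators. Each returns
# its weighted contribution: 0.0 when the risk is absent or the mitigating control is present.
EVALUATORS: Dict[str, Callable[[AppProfile], float]] = {
    "shared_by_customers": lambda p: 3.0 if p.shared_by_customers else 0.0,
    "third_party_admin": lambda p: access_weight(5.0, p.third_party_admin, p.data_confidential),
    "third_party_read_write": lambda p: access_weight(4.0, p.third_party_read_write, p.data_confidential),
    "no_industry_controls": lambda p: 0.0 if p.industry_controls else 2.0,
    "exploitable_unauthenticated": lambda p: 4.0 if p.exploitable_unauthenticated else 0.0,
    "no_ids_or_scanning": lambda p: 0.0 if p.ids_and_vuln_scanning else 2.0,
    "no_auth_to_connect": lambda p: 0.0 if p.auth_required_to_connect else 2.0,
}


def evaluate(profile: AppProfile) -> Dict[str, float]:
    """Run every evaluator and return the per-determination weights."""
    return {name: fn(profile) for name, fn in EVALUATORS.items()}


def combine(contributions: Dict[str, float]) -> float:
    """Aggregate the weights into one risk score (the trust-manager step)."""
    return sum(contributions.values())


def certify(score: float, benefit: float, cost_per_point: float) -> bool:
    """Assumed certification rule for claims 19/20: the cost savings or revenue the
    application provides must exceed the risk score converted to the same units."""
    return benefit > score * cost_per_point


# Constructed sample profiles (not real applications).
SHARED_APP = AppProfile(
    shared_by_customers=True, third_party_admin=False, third_party_read_write=True,
    data_confidential=True, industry_controls=False, exploitable_unauthenticated=True,
    ids_and_vuln_scanning=False, auth_required_to_connect=False,
)
CONTROLLED_APP = AppProfile(
    shared_by_customers=True, third_party_admin=False, third_party_read_write=False,
    data_confidential=True, industry_controls=True, exploitable_unauthenticated=False,
    ids_and_vuln_scanning=True, auth_required_to_connect=True,
)


if __name__ == "__main__":
    for label, app in (("shared app", SHARED_APP), ("controlled app", CONTROLLED_APP)):
        parts = evaluate(app)
        score = combine(parts)
        decision = certify(score, benefit=50_000.0, cost_per_point=5_000.0)
        print(f"{label}: score={score:.1f} certify={decision} detail={parts}")
```

Each determination is isolated in its own evaluator so that adding a further risk (as Gold paragraph 0035 contemplates) means adding one entry to the table rather than changing the aggregation; the confidentiality adjustment of claim 9 is applied inside the two access evaluators, and the certification step of claims 19/20 is kept separate from scoring so the same score can be compared against either cost savings or revenue.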
Conclusion 

3. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant 
is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS 
from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the 
mailing date of this final action and the advisory action is not mailed until after the end of the 
THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the 
date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be 
calculated from the mailing date of the advisory action. In no event, however, will the statutory 
period for reply expire later than SIX MONTHS from the date of this final action. 

Any response to this Office Action should be faxed to (571) 273-8300 or mailed to: 

Commissioner for Patents 

P.O. Box 1450 
Alexandria, VA 22313-1450 

Hand-delivered responses should be brought to 

Customer Service Window 
Randolph Building 
401 Dulaney Street 
Alexandria, VA 22314 

4. Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Daniel L. Hoang whose telephone number is 571-270-1019. The examiner 
can normally be reached on Monday - Thursday, 8:00 a.m. - 5:00 p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached at (571) 272-4195. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status information for 
unpublished applications is available through Private PAIR only. For more information about 
the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to 
the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 
(toll-free). 




Daniel L Hoang 
11/10/07 




